Authentication and Authorization¶
Authentication (proving identity) and authorization (granting access) mechanisms: password policies, MFA, JWT tokens, OAuth 2.0/OIDC, Kerberos, RBAC, and PAM. Covers both conceptual patterns and implementation.
Key Facts¶
- Authentication = who you are; Authorization = what you can do
- MFA factors: something you know + something you have + something you are
- SMS-based 2FA is the weakest MFA option (SIM swapping, SS7 attacks)
- FIDO2/WebAuthn hardware keys are the strongest consumer MFA
- OAuth 2.0 is for authorization (access tokens); OIDC adds authentication (ID tokens) on top
- NIST 800-63B recommends against forced password rotation - it leads to weaker passwords
Password Security¶
Password Policies (Modern)¶
- Minimum 12+ characters
- Complexity encouraged but not required (length > complexity per NIST)
- Check against breach databases (Have I Been Pwned API)
- No forced periodic rotation (NIST 800-63B)
- Account lockout after failed attempts (5 attempts, 15-30 min lockout)
Password Hashing¶
# bcrypt (recommended)
import bcrypt
salt = bcrypt.gensalt(rounds=12)
hashed = bcrypt.hashpw(password.encode(), salt)
# Verify
bcrypt.checkpw(input_password.encode(), hashed)
// Node.js with bcryptjs
const bcrypt = require('bcryptjs');
const salt = await bcrypt.genSalt(10);
const hashed = await bcrypt.hash(password, salt);
const isMatch = await bcrypt.compare(inputPassword, hashed);
Multi-Factor Authentication (MFA)¶
| Method | Security | UX | Notes |
|---|---|---|---|
| FIDO2/WebAuthn | Highest | Good | Hardware keys (YubiKey), phishing-resistant |
| TOTP | High | OK | Google Authenticator, Authy - time-based codes |
| Push notifications | High | Good | Mobile app approval |
| SMS codes | Low | Easy | SIM swapping, SS7 interception attacks |
JWT (JSON Web Tokens)¶
Structure¶
Three Base64-encoded parts separated by dots: header.payload.signature
Implementation (Node.js)¶
const jwt = require('jsonwebtoken');
// Generate
const token = jwt.sign(
{ userId: user.id, email: user.email },
process.env.JWT_SECRET,
{ expiresIn: '24h' }
);
// Verify middleware
const auth = (req, res, next) => {
const token = req.headers.authorization?.split(' ')[1];
if (!token) return res.status(401).json({ error: 'No token' });
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET);
req.userId = decoded.userId;
next();
} catch (e) {
res.status(401).json({ error: 'Invalid token' });
}
};
NestJS JWT Strategy¶
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
constructor() {
super({
jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
secretOrKey: process.env.JWT_SECRET,
});
}
async validate(payload: any) {
return { userId: payload.sub, email: payload.email };
}
}
OAuth 2.0 / OIDC¶
- OAuth 2.0 - authorization framework (grants access tokens)
- OIDC (OpenID Connect) - authentication layer on top of OAuth 2.0 (ID tokens)
- Flows: Authorization Code (server apps, most secure), Client Credentials (service-to-service), Implicit (deprecated)
Kerberos (Active Directory)¶
Ticket-based authentication - no passwords sent over network: 1. Client authenticates to KDC (Key Distribution Center) 2. KDC issues TGT (Ticket Granting Ticket) 3. Client uses TGT to request service tickets for specific services 4. Service validates ticket without contacting KDC
Kerberos attacks: Kerberoasting, AS-REP Roasting, Golden/Silver Tickets (see active directory attacks).
LDAP¶
Directory service protocol for querying/modifying user databases. Used with Active Directory. Port 389 (plaintext), 636 (LDAPS).
SSO (Single Sign-On)¶
One authentication grants access to multiple services. Reduces password fatigue, centralizes access control. Risk: SSO compromise = access to everything.
Patterns¶
RBAC (Role-Based Access Control)¶
// NestJS Guard implementation
@Injectable()
export class RolesGuard implements CanActivate {
constructor(private reflector: Reflector) {}
canActivate(context: ExecutionContext): boolean {
const requiredRoles = this.reflector.get<string[]>('roles', context.getHandler());
if (!requiredRoles) return true;
const { user } = context.switchToHttp().getRequest();
return requiredRoles.some(role => user.roles?.includes(role));
}
}
PAM (Privileged Access Management)¶
- Password vaulting - encrypted credential storage
- Session recording - audit admin sessions
- Just-in-time access - temporary privilege elevation with approval
- Credential rotation - automatic password changes
- Break-glass procedures - emergency access with full audit trail
Gotchas¶
- JWT tokens cannot be revoked once issued - use short expiration + refresh tokens
- Storing JWT in localStorage is XSS-vulnerable; HttpOnly cookies are safer but need CSRF protection
- OAuth implicit flow is deprecated - always use Authorization Code + PKCE
- Kerberos clock skew > 5 minutes causes authentication failures
- "Remember me" cookies must still be invalidated on password change
See Also¶
- cryptography and pki - underlying crypto mechanisms
- web application security fundamentals - session management, CSRF
- active directory attacks - Kerberoasting, Golden Ticket
- windows security and powershell - Windows auth internals, SAM, LSASS